]> git.ipfire.org Git - thirdparty/grub.git/commit
projects / thirdparty / grub.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: ad0c527) | patch
util/grub-protect: Add new tool
authorHernan Gatta <hegatta@linux.microsoft.com>
Fri, 15 Nov 2024 07:34:53 +0000 (15:34 +0800)
committerDaniel Kiper <daniel.kiper@oracle.com>
Thu, 28 Nov 2024 20:50:55 +0000 (21:50 +0100)
commit5f6a2fd513e649e5750242f9e59d1294dfb0c855
treeea5d346428c9d8f098d6ebbc3312a74d8aff5427tree
parentad0c52784a375cecaa8715d7deadcf5d65baf173commit | diff
util/grub-protect: Add new tool

To utilize the key protectors framework, there must be a way to protect
full-disk encryption keys in the first place. The grub-protect tool
includes support for the TPM2 key protector but other protectors that
require setup ahead of time can be supported in the future.

For the TPM2 key protector, the intended flow is for a user to have
a LUKS 1 or LUKS 2-protected fully-encrypted disk. The user then creates
a new LUKS key file, say by reading /dev/urandom into a file, and creates
a new LUKS key slot for this key. Then, the user invokes the grub-protect
tool to seal this key file to a set of PCRs using the system's TPM 2.0.
The resulting sealed key file is stored in an unencrypted partition such
as the EFI System Partition (ESP) so that GRUB may read it. The user also
has to ensure the cryptomount command is included in GRUB's boot script
and that it carries the requisite key protector (-P) parameter.

Sample usage:

  $ dd if=/dev/urandom of=luks-key bs=1 count=32
  $ sudo cryptsetup luksAddKey /dev/sdb1 luks-key --pbkdf=pbkdf2 --hash=sha512

To seal the key with TPM 2.0 Key File (recommended):

  $ sudo grub-protect --action=add \
                      --protector=tpm2 \
                      --tpm2-pcrs=0,2,4,7,9 \
                      --tpm2key \
                      --tpm2-keyfile=luks-key \
                      --tpm2-outfile=/boot/efi/efi/grub/sealed.tpm

Or, to seal the key with the raw sealed key:

  $ sudo grub-protect --action=add \
                      --protector=tpm2 \
                      --tpm2-pcrs=0,2,4,7,9 \
                      --tpm2-keyfile=luks-key \
                      --tpm2-outfile=/boot/efi/efi/grub/sealed.key

Then, in the boot script, for TPM 2.0 Key File:

  tpm2_key_protector_init --tpm2key=(hd0,gpt1)/efi/grub/sealed.tpm
  cryptomount -u <SDB1_UUID> -P tpm2

Or, for the raw sealed key:

  tpm2_key_protector_init --keyfile=(hd0,gpt1)/efi/grub/sealed.key --pcrs=0,2,4,7,9
  cryptomount -u <SDB1_UUID> -P tpm2

The benefit of using TPM 2.0 Key File is that the PCR set is already
written in the key file, so there is no need to specify PCRs when
invoking tpm2_key_protector_init.

Signed-off-by: Hernan Gatta <hegatta@linux.microsoft.com>
Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Tested-by: Stefan Berger <stefanb@linux.ibm.com>
.gitignore diff | blob | blame | history
Makefile.util.def diff | blob | blame | history
configure.ac diff | blob | blame | history
docs/man/grub-protect.h2m [new file with mode: 0644] blob
util/grub-protect.c [new file with mode: 0644] blob
Mirror of https://git.savannah.gnu.org/git/grub.git